Date:      Sat, 19 Jun 1999 18:52:23 -0700 (PDT)
From:      Julian Elischer <julian@whistle.com>
To:        "Brian F. Feldman" <green@unixhelp.org>
Cc:        Dag-Erling Smorgrav <des@flood.ping.uio.no>, Doug Rabson <dfr@nlsystems.com>, Ruslan Ermilov <ru@ucb.crimea.ua>, ugen@xonix.com, hackers@FreeBSD.ORG, luigi@FreeBSD.ORG
Subject:   Re: Firewalls (was Re: Introduction)
Message-ID:  <Pine.BSF.3.95.990619184950.13715C-100000@current1.whistle.com>
In-Reply-To: <Pine.BSF.4.10.9906191105280.99153-100000@janus.syracuse.net>

As a contributor to ipfw, notice that I will be sticking my oar into the
water when it comes to deleting it unless I'm very sure that the ipf stuff
is better. Unless you're Danish you don't just get to delete bits of the
tree without a lot of agreement, especially from those who are working on
it. (in this case luigi and I would both be extremely interested).


On Sat, 19 Jun 1999, Brian F. Feldman wrote:

> On 19 Jun 1999, Dag-Erling Smorgrav wrote:
> 
> > "Brian F. Feldman" <green@unixhelp.org> writes:
> > > It might be worth (discussion of) making ipfilter the firewall of
> > > choice for 4.0. There would of course be rule conversion
> > > scripts/programs (ipfw->ipf(5)), and ipfilter would be converted to
> > > a KLD, cruft removed (I'm going to work on these), and ipfilter KLD
> > > support (currently options IPFILTER_LKM) made a non-option. It seems
> > > that our pretty proprietary ipfw is no longer a good idea.
> > 
> > If ipfilter can do everything ipfw can (judging from ipf(5), it can)
> > and you even manage to keep an ipfw(8) command around so those who
> > want to keep using the old syntax still can, then I for one have no
> > objections.
> > 
> > Rewriting ipfw rules to ipfilter rules on the fly should be trivial; a
> > simple Perl script should be sufficient.
> 
> Not quite as trivial as you think. ipfw and ipf are completely backwards when it comes
> to rule order: in ipfw, the first rule matched takes effect; in ipf, the last rule matched
> takes effect. Plus, ipf doesn't have rule numbers (but there's similar functionality.)
> If you think you can get used to them both enough to tackle this, I'll handle other
> things, and we can have a working replacement for crufty old ipfw. Note that Luigi's
> extra ipfw functionality and my extra ipfw functionality _will_ be wanted in ipf
> before everyone is necessarily willing to switch. I have a feeling there will be some
> holdouts that, even if ipfw is removed, they'll MFS (merge from stable) ipfw back just
> because they want to keep the old way. Ipfw could be dead for 4.0-RELEASE, as I see it
> now. More discussion is, however, necessary.
> 
> > 
> > DES
> > -- 
> > Dag-Erling Smorgrav - des@flood.ping.uio.no
> > 
> 
>  Brian Fundakowski Feldman      _ __ ___ ____  ___ ___ ___  
>  green@FreeBSD.org                   _ __ ___ | _ ) __|   \ 
>      FreeBSD: The Power to Serve!        _ __ | _ \._ \ |) |
>        http://www.FreeBSD.org/              _ |___/___/___/ 
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
> 

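The rule-order difference described in the quoted message, as an added example that is not part of the original thread: a simplified Python model showing that a first-match ruleset copied unchanged into a last-match evaluator turns its blocks into allows, while reversing the rule order preserves every verdict. The `Rule` and `Packet` types, the terminal allow/deny actions, the default verdict and the sample ruleset are assumptions constructed for illustration, not ipfw or ipf syntax.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):          # hypothetical simplified rule, not real ipfw/ipf syntax
    action: str                  # "allow" or "deny" (terminal actions only)
    proto: Optional[str]         # None matches any protocol
    dport: Optional[int]         # None matches any destination port

class Packet(NamedTuple):
    proto: str
    dport: int

def matches(rule, pkt):
    return rule.proto in (None, pkt.proto) and rule.dport in (None, pkt.dport)

def first_match(rules, pkt, default="deny"):
    """First-match evaluation (ipfw, per the thread): stop at the first matching rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default               # assumed default; unreachable with a catch-all rule

def last_match(rules, pkt, default="deny"):
    """Last-match evaluation (ipf, per the thread): try every rule, the last match wins."""
    verdict = default
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
    return verdict

def convert_first_to_last(rules):
    """Reverse the list so the rule that used to match first is now the one matching last."""
    return list(reversed(rules))

# Constructed sample ruleset written for first-match semantics.
FIRST_MATCH_RULES = [Rule("deny", "tcp", 23), Rule("deny", "udp", 69), Rule("allow", None, None)]
# Constructed sample packets.
PACKETS = [Packet("tcp", 23), Packet("udp", 69), Packet("tcp", 22), Packet("udp", 53)]

def compare(rules, packets):
    """Per packet: (intended verdict, verdict after naive copy, verdict after reversal)."""
    converted = convert_first_to_last(rules)
    return [(first_match(rules, p), last_match(rules, p), last_match(converted, p))
            for p in packets]

if __name__ == "__main__":
    for pkt, row in zip(PACKETS, compare(FIRST_MATCH_RULES, PACKETS)):
        print(f"{pkt.proto}/{pkt.dport}: intended={row[0]} naive={row[1]} reversed={row[2]}")
```

Reversal is only sufficient in this model because every action is terminal; rules that count, divert or skip to another rule number need more than reordering.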

